Guide

How to audit authorized_keys files

Find SSH access drift before it becomes a security review surprise.

Why authorized_keys audits matter

authorized_keys is the local allowlist for public-key SSH login. Over time it drifts away from reality: old keys stay, duplicates appear, and nobody can explain every line. Regular audits reduce forgotten access and make offboarding less fragile.

Where authorized_keys files live

Typically ~/.ssh/authorized_keys for each user account that accepts key-based login โ€” including root and service accounts. On multi-user servers you may have many files.

sudo find / -path '*/.ssh/authorized_keys' -type f 2>/dev/null

What each line contains

Each non-comment line is usually: optional options, key type, base64 key material, and an optional comment. Options can restrict what the key is allowed to do.

What to look for

Duplicates

The same key repeated wastes space and hints at manual edits without review.

Weak or legacy key types

DSA and short RSA keys should be flagged for rotation or removal.

awk '{print $1}' ~/.ssh/authorized_keys | sort | uniq -c

Unknown comments

Comments like laptop-2019 or temp without an owner are review candidates.

Risky options

Review command=, unrestricted agent forwarding, or keys with no options where you expect restrictions.

Keys for former users or old machines

Cross-check against your team list, asset inventory, and recent offboarding.

How to document findings

Record line number, comment, fingerprint, decision (keep / remove / investigate), and owner. A spreadsheet or ticket per server is enough for small teams.

How often to review access

Quarterly for production servers is a reasonable starting point. Review after incidents, contractor projects, and any offboarding. Ad-hoc audits before compliance reviews catch drift early.

Our authorized_keys Analyzer can speed up a first pass in the browser if you want a quick hygiene check.

Related: stale SSH keys ยท agency client server access

Keep authorized_keys in sync with who should have access

GrantSSH removes keys automatically when permissions end, so audits are about policy โ€” not archaeology.